def test_custom_authorization_provider(self): from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() # User is 'test_user' (defined in the authorization policy file) open_session_req.username = '******' open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) assert 'User \'%s\' does not have privileges to access' % 'test_user' in\ str(execute_statement_resp) # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp)
def _test_authorized_proxy(self): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 # Try to query a table we are not authorized to access. self.session_handle = self._open_hs2("hue", { "impala.doas.user": getuser() }).sessionHandle bad_resp = self._execute_hs2_stmt("describe tpch_seq.lineitem", False) assert "User '%s' does not have privileges to access" % getuser() in \ str(bad_resp) assert self._wait_for_audit_record(user=getuser(), impersonator="hue"), \ "No matching audit event recorded in time window" # Now try the same operation on a table we are authorized to access. good_resp = self._execute_hs2_stmt("describe tpch.lineitem") TestHS2.check_response(good_resp) # Verify the correct user information is in the runtime profile. query_id = operation_id_to_query_id( good_resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self._verify_profile_user_fields(profile_page, effective_user=getuser(), delegated_user=getuser(), connected_user="******") # Try to delegate a user we are not authorized to delegate to. resp = self._open_hs2("hue", {"impala.doas.user": "******"}, False) assert "User 'hue' is not authorized to delegate to 'some_user'" in str( resp) # Create a new session which does not have a do_as_user and run a simple query. self.session_handle = self._open_hs2("hue", dict()).sessionHandle resp = self._execute_hs2_stmt("select 1") # Verify the correct user information is in the runtime profile. Since there is # no do_as_user the Delegated User field should be empty. query_id = operation_id_to_query_id(resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self._verify_profile_user_fields(profile_page, effective_user="******", delegated_user="", connected_user="******")
def _execute_hs2_stmt(self, statement, verify=True): """ Executes an hs2 statement :param statement: the statement to execute :param verify: If set to true, will thrown an exception on a failed hs2 execution :return: the result of execution """ from tests.hs2.test_hs2 import TestHS2 execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = statement result = self.hs2_client.ExecuteStatement(execute_statement_req) if verify: TestHS2.check_response(result) return result
def __execute_hs2_stmt(self, statement, verify=True): """ Executes an hs2 statement :param statement: the statement to execute :param verify: If set to true, will thrown an exception on a failed hs2 execution :return: the result of execution """ from tests.hs2.test_hs2 import TestHS2 execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = statement result = self.hs2_client.ExecuteStatement(execute_statement_req) if verify: TestHS2.check_response(result) return result
def _open_hs2(self, user, configuration, verify=True): """ Open a session with hs2 :param user: the user to open the session :param configuration: the configuration for the session :param verify: If set to true, will thrown an exception on failed session open :return: the result of opening the session """ from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() open_session_req.username = user open_session_req.configuration = configuration resp = self.hs2_client.OpenSession(open_session_req) if verify: TestHS2.check_response(resp) return resp
def test_impersonation(self): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() open_session_req.username = '******' open_session_req.configuration = dict() open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(execute_statement_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp) # Try to impersonate as a user we are not authorized to impersonate. open_session_req.configuration['impala.doas.user'] = '******' resp = self.hs2_client.OpenSession(open_session_req) assert 'User \'hue\' is not authorized to impersonate \'some_user\'' in str( resp) self.socket.close() self.socket = None
def __open_hs2(self, user, configuration, verify=True): """ Open a session with hs2 :param user: the user to open the session :param configuration: the configuration for the session :param verify: If set to true, will thrown an exception on failed session open :return: the result of opening the session """ from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() open_session_req.username = user open_session_req.configuration = configuration resp = self.hs2_client.OpenSession(open_session_req) if verify: TestHS2.check_response(resp) return resp
def test_impersonation(self): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() open_session_req.username = '******' open_session_req.configuration = dict() open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(execute_statement_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) TestHS2.check_response(execute_statement_resp) # Try to impersonate as a user we are not authorized to impersonate. open_session_req.configuration['impala.doas.user'] = '******' resp = self.hs2_client.OpenSession(open_session_req) assert 'User \'hue\' is not authorized to impersonate \'some_user\'' in str(resp) self.socket.close() self.socket = None
def __run_stmt_and_verify_profile_access(self, stmt, has_access, close_operation): """Runs 'stmt' and retrieves the runtime profile and exec summary. If 'has_access' is true, it verifies that no runtime profile or exec summary are returned. If 'close_operation' is true, make sure the operation is closed before retrieving the profile and exec summary.""" from tests.hs2.test_hs2 import TestHS2 execute_statement_resp = self.__execute_hs2_stmt(stmt, False) if close_operation: close_operation_req = TCLIService.TCloseOperationReq() close_operation_req.operationHandle = execute_statement_resp.operationHandle TestHS2.check_response(self.hs2_client.CloseOperation(close_operation_req)) get_profile_req = ImpalaHiveServer2Service.TGetRuntimeProfileReq() get_profile_req.operationHandle = execute_statement_resp.operationHandle get_profile_req.sessionHandle = self.session_handle get_profile_resp = self.hs2_client.GetRuntimeProfile(get_profile_req) if has_access: TestHS2.check_response(get_profile_resp) assert "Plan: " in get_profile_resp.profile else: assert "User %s is not authorized to access the runtime profile or "\ "execution summary." % (getuser()) in str(get_profile_resp) exec_summary_req = ImpalaHiveServer2Service.TGetExecSummaryReq() exec_summary_req.operationHandle = execute_statement_resp.operationHandle exec_summary_req.sessionHandle = self.session_handle exec_summary_resp = self.hs2_client.GetExecSummary(exec_summary_req) if has_access: TestHS2.check_response(exec_summary_resp) else: assert "User %s is not authorized to access the runtime profile or "\ "execution summary." % (getuser()) in str(exec_summary_resp)
def test_custom_authorization_provider(self): from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() # User is 'test_user' (defined in the authorization policy file) open_session_req.username = '******' open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) assert 'User \'%s\' does not have privileges to access' % 'test_user' in\ str(execute_statement_resp) # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) TestHS2.check_response(execute_statement_resp)
def __test_impersonation(self): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() # Connected user is 'hue' open_session_req.username = '******' open_session_req.configuration = dict() # Delegated user is the current user open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(execute_statement_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp) # Verify the correct user information is in the runtime profile query_id = operation_id_to_query_id( execute_statement_resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user=getuser(), delegated_user=getuser(), connected_user='******') # Try to user we are not authorized to delegate to. open_session_req.configuration['impala.doas.user'] = '******' resp = self.hs2_client.OpenSession(open_session_req) assert 'User \'hue\' is not authorized to delegate to \'some_user\'' in str( resp) # Create a new session which does not have a do_as_user. open_session_req.username = '******' open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Run a simple query, which should succeed. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = resp.sessionHandle execute_statement_req.statement = "select 1" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp) # Verify the correct user information is in the runtime profile. Since there is # no do_as_user the Delegated User field should be empty. query_id = operation_id_to_query_id( execute_statement_resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user='******', delegated_user='', connected_user='******') self.socket.close() self.socket = None
def test_access_runtime_profile(self): from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() open_session_req.username = getuser() open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Current user can't access view's underlying tables self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "explain select * from functional.complex_view" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) assert 'User \'%s\' does not have privileges to EXPLAIN' % getuser() in\ str(execute_statement_resp) # User should not have access to the runtime profile self.__run_stmt_and_verify_profile_access( "select * from functional.complex_view", False, False) self.__run_stmt_and_verify_profile_access( "select * from functional.complex_view", False, True) # Repeat as a delegated user open_session_req.username = '******' open_session_req.configuration = dict() # Delegated user is the current user open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) self.session_handle = resp.sessionHandle # User should not have access to the runtime profile self.__run_stmt_and_verify_profile_access( "select * from functional.complex_view", False, False) self.__run_stmt_and_verify_profile_access( "select * from functional.complex_view", False, True) # Create a view for which the user has access to the underlying tables. open_session_req.username = getuser() open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = """create view if not exists tpch.customer_view as select * from tpch.customer limit 1""" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp) # User should be able to run EXPLAIN execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = """explain select * from tpch.customer_view""" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp) # User should have access to the runtime profile and exec summary self.__run_stmt_and_verify_profile_access( "select * from tpch.customer_view", True, False) self.__run_stmt_and_verify_profile_access( "select * from tpch.customer_view", True, True) # Repeat as a delegated user open_session_req.username = '******' open_session_req.configuration = dict() # Delegated user is the current user open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) self.session_handle = resp.sessionHandle # User should have access to the runtime profile and exec summary self.__run_stmt_and_verify_profile_access( "select * from tpch.customer_view", True, False) self.__run_stmt_and_verify_profile_access( "select * from tpch.customer_view", True, True) # Clean up execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "drop view if exists tpch.customer_view" execute_statement_resp = self.hs2_client.ExecuteStatement( execute_statement_req) TestHS2.check_response(execute_statement_resp)
def __test_impersonation(self, role): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 try: self.session_handle = self.__open_hs2(getuser(), dict()).sessionHandle self.__execute_hs2_stmt("create role {0}".format(role)) self.__execute_hs2_stmt( "grant all on table tpch.lineitem to role {0}".format(role)) self.__execute_hs2_stmt("grant role {0} to group {1}".format( role, grp.getgrnam(getuser()).gr_name)) self.__execute_hs2_stmt("grant role {0} to group {1}".format( role, grp.getgrgid(os.getgid()).gr_name)) # Try to query a table we are not authorized to access self.session_handle = self.__open_hs2('hue', { 'impala.doas.user': getuser() }).sessionHandle bad_resp = self.__execute_hs2_stmt("describe tpch_seq.lineitem", False) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(bad_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. good_resp = self.__execute_hs2_stmt("describe tpch.lineitem") TestHS2.check_response(good_resp) # Verify the correct user information is in the runtime profile query_id = operation_id_to_query_id( good_resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user=getuser(), delegated_user=getuser(), connected_user='******') # Try to user we are not authorized to delegate to. resp = self.__open_hs2('hue', {'impala.doas.user': '******'}, False) assert 'User \'hue\' is not authorized to delegate to \'some_user\'' in str( resp) # Create a new session which does not have a do_as_user and run a simple query. self.session_handle = self.__open_hs2('hue', dict()).sessionHandle resp = self.__execute_hs2_stmt("select 1") # Verify the correct user information is in the runtime profile. Since there is # no do_as_user the Delegated User field should be empty. query_id = operation_id_to_query_id( resp.operationHandle.operationId) profile_page = self.cluster.impalads[ 0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user='******', delegated_user='', connected_user='******') finally: self.session_handle = self.__open_hs2(getuser(), dict()).sessionHandle self.__execute_hs2_stmt( "grant all on server to role {0}".format(role)) self.__execute_hs2_stmt("grant role {0} to group {1}".format( role, grp.getgrnam(getuser()).gr_name)) self.__execute_hs2_stmt("drop role {0}".format(role))
def test_impersonation(self): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 open_session_req = TCLIService.TOpenSessionReq() # Connected user is 'hue' open_session_req.username = '******' open_session_req.configuration = dict() # Delegated user is the current user open_session_req.configuration['impala.doas.user'] = getuser() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Try to query a table we are not authorized to access. self.session_handle = resp.sessionHandle execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch_seq.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(execute_statement_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = self.session_handle execute_statement_req.statement = "describe tpch.lineitem" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) TestHS2.check_response(execute_statement_resp) # Verify the correct user information is in the runtime profile query_id = operation_id_to_query_id( execute_statement_resp.operationHandle.operationId) profile_page = self.cluster.impalads[0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user=getuser(), delegated_user=getuser(), connected_user='******') # Try to user we are not authorized to delegate to. open_session_req.configuration['impala.doas.user'] = '******' resp = self.hs2_client.OpenSession(open_session_req) assert 'User \'hue\' is not authorized to delegate to \'some_user\'' in str(resp) # Create a new session which does not have a do_as_user. open_session_req.username = '******' open_session_req.configuration = dict() resp = self.hs2_client.OpenSession(open_session_req) TestHS2.check_response(resp) # Run a simple query, which should succeed. execute_statement_req = TCLIService.TExecuteStatementReq() execute_statement_req.sessionHandle = resp.sessionHandle execute_statement_req.statement = "select 1" execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) TestHS2.check_response(execute_statement_resp) # Verify the correct user information is in the runtime profile. Since there is # no do_as_user the Delegated User field should be empty. query_id = operation_id_to_query_id( execute_statement_resp.operationHandle.operationId) profile_page = self.cluster.impalads[0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user='******', delegated_user='', connected_user='******') self.socket.close() self.socket = None
def __test_impersonation(self, role): """End-to-end impersonation + authorization test. Expects authorization to be configured before running this test""" # TODO: To reuse the HS2 utility code from the TestHS2 test suite we need to import # the module within this test function, rather than as a top-level import. This way # the tests in that module will not get pulled when executing this test suite. The fix # is to split the utility code out of the TestHS2 class and support HS2 as a first # class citizen in our test framework. from tests.hs2.test_hs2 import TestHS2 try: self.session_handle = self.__open_hs2(getuser(), dict()).sessionHandle self.__execute_hs2_stmt("create role {0}".format(role)) self.__execute_hs2_stmt("grant all on table tpch.lineitem to role {0}" .format(role)) self.__execute_hs2_stmt("grant role {0} to group {1}" .format(role, grp.getgrnam(getuser()).gr_name)) self.__execute_hs2_stmt("grant role {0} to group {1}" .format(role, grp.getgrgid(os.getgid()).gr_name)) # Try to query a table we are not authorized to access self.session_handle = self.__open_hs2('hue', {'impala.doas.user': getuser()}).sessionHandle bad_resp = self.__execute_hs2_stmt("describe tpch_seq.lineitem", False) assert 'User \'%s\' does not have privileges to access' % getuser() in\ str(bad_resp) assert self.__wait_for_audit_record(user=getuser(), impersonator='hue'),\ 'No matching audit event recorded in time window' # Now try the same operation on a table we are authorized to access. good_resp = self.__execute_hs2_stmt("describe tpch.lineitem") TestHS2.check_response(good_resp) # Verify the correct user information is in the runtime profile query_id = operation_id_to_query_id( good_resp.operationHandle.operationId) profile_page = self.cluster.impalads[0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user=getuser(), delegated_user=getuser(), connected_user='******') # Try to user we are not authorized to delegate to. resp = self.__open_hs2('hue', {'impala.doas.user': '******'}, False) assert 'User \'hue\' is not authorized to delegate to \'some_user\'' in str(resp) # Create a new session which does not have a do_as_user and run a simple query. self.session_handle = self.__open_hs2('hue', dict()).sessionHandle resp = self.__execute_hs2_stmt("select 1") # Verify the correct user information is in the runtime profile. Since there is # no do_as_user the Delegated User field should be empty. query_id = operation_id_to_query_id(resp.operationHandle.operationId) profile_page = self.cluster.impalads[0].service.read_query_profile_page(query_id) self.__verify_profile_user_fields(profile_page, effective_user='******', delegated_user='', connected_user='******') finally: self.session_handle = self.__open_hs2(getuser(), dict()).sessionHandle self.__execute_hs2_stmt("grant all on server to role {0}".format(role)) self.__execute_hs2_stmt("grant role {0} to group {1}" .format(role, grp.getgrnam(getuser()).gr_name)) self.__execute_hs2_stmt("drop role {0}".format(role))